The READMEs of the abovementioned tools have instructions how to do this. If your client relies on the OS's truststore, then the attacker will be able to insert his own certificate into the truststore, and your client will not notice anything. Tools like fiddler, charles or mitmproxy redirect your traffic to themselves, present a faked certificate to the client, decrypt the traffic, log it, re-encrypt it, and send it to the original site. Https is only secure if you prevent MITM attacks. If your URL is, and your api always returns pages between 10 bytes, seeing 1007 bytes returned won't help anyone determine user or password or how to enter a highscore. But, as you want to put some parameters into the URL and hide those, this isn't a big attack vector in your case. If someone could get at your URLs by walking your site, and compare the size of the returned pages with the size of what's returned in your encrypted page, they could make assumptions about which page your program called. The https URLs you've seen were probably the URLs of CRLs or OCSPs.
Also, you'll be able to see some parts of certificates. Using wireshark, you will be able to find out the host name, as mentioned by some other answers, due to SNI. Usually the Referer is stripped when linking from https to http, but if the attacker controls one of the sites linked with https he might be able to find out where the link came from, that is the site you've accessed.īut in most cases you are pretty safe with HTTPS, at least much safer than with plain HTTP.
All modern clients use SNI because this is the only way to have different hosts with their own certificates behind the same IP address. With HTTPS the path and query string of the URL is encrypted, while the hostname is visible inside the SSL handshake as plain text if the client uses Server Name Indication (SNI).
0 kommentar(er)
